About this video

• Video Title: Cisco ISE: External Certificate Integration Guide (Step by Step)
• Channel: Silesio Carvalho
• Speakers: Silesio Carvalho
• Duration: 00:11:18

Overview

This video provides a step-by-step guide on how to replace the default self-signed certificate on Cisco ISE with a certificate signed by an external root Certificate Authority (CA). This is crucial for enhancing network security and ensuring continued access to Cisco ISE functionalities, as self-signed certificates can expire and cause trust issues for endpoints and administrators.

Key takeaways

• Security Risk of Default Certificates: Using Cisco ISE's default self-signed certificate poses a security risk because it can expire, leading to endpoints distrusting ISE and administrators losing access.
• Importance of External CA Certificates: Cisco recommends using certificates signed by a trusted root CA for better security and reliability, which requires a Public Key Infrastructure (PKI).
• Integration Process Overview: The process involves importing the root CA certificate into Cisco ISE, generating a Certificate Signing Request (CSR), having it signed by the root CA, and then binding the signed certificate back to ISE.
• Key Steps in Cisco ISE: The guide demonstrates navigating to Administration > Certificates, importing the root CA, generating a CSR with appropriate configurations (multi-use, FQDN, IP address), exporting the CSR, obtaining the signed certificate, and binding it to the Cisco ISE node.
• Impact of Certificate Replacement: Replacing the certificate requires a service restart and can lead to downtime, making it essential to perform during a maintenance window.

Here are the step-by-step instructions for integrating an external certificate with Cisco ISE, as demonstrated in the video:

1. Download the Root CA Certificate:

   • Navigate to your root CA server (in the video, a Windows Server acting as a root CA is used).
   • Access the CA's interface and locate the option to download the CA certificate.
   • Select "Base 64" encoding and download the certificate file. Save it with a recognizable name (e.g., root CA.crt).

2. Import the Root CA Certificate into Cisco ISE:

   • Log in to Cisco ISE.
   • Navigate to Administration > Certificates > Trusted Certificates.
   • Click Import.
   • Choose the downloaded root CA certificate file.
   • Provide a name for the certificate (e.g., binaryavenue root CA).
   • Select the trust purposes: Client Authentication, Base Cisco Services. You can select all relevant options.
   • Click Submit.

3. Generate a Certificate Signing Request (CSR) in Cisco ISE:

   • Navigate to Administration > Certificates > Certificate Signing Requests.
   • Click Generate Signing Request.
   • Choose Multi-Use for the certificate type, as it will be used for various functions.
   • Specify the Node (e.g., IO1).
   • Enter the Common Name (CN), which should be the Fully Qualified Domain Name (FQDN) of your ISE node (e.g., io1.binaryavenue.com).
   • Fill in the Organization Unit and Organization fields as needed.
   • For Subject Alternative Name (SAN):
     • Add the FQDN as a DNS name.
     • Add the IP address of the ISE node (e.g., 192.168.1.4321).
   • Leave other fields as default unless specific requirements dictate otherwise.
   • Click Generate.

4. Export the CSR:

   • Once the CSR is generated, select it.
   • Click Export.
   • Open the exported CSR file (e.g., using Notepad).
   • Copy the entire content of the CSR file.

5. Request Certificate Signing from the Root CA:

   • Go back to your root CA server.
   • Access the Advanced Certificate Request option.
   • Paste the copied CSR content into the appropriate field.
   • Select the Certificate Template as Web Server.
   • Submit the request.

6. Download the Signed Certificate:

   • The CA will issue the certificate.
   • Select the issued certificate and choose to download it in Base 64 format.
   • Save the downloaded certificate with a descriptive name (e.g., certificate signed by root CA.crt).

7. Bind the Signed Certificate in Cisco ISE:

   • Return to Cisco ISE.
   • Navigate to Administration > Certificates > Certificate Signing Requests.
   • Select the CSR that was generated earlier.
   • Click the Bind Certificate option.
   • Choose the certificate file that was just signed by the root CA.
   • Provide a friendly name for the new certificate (e.g., IO1 sign certificate).
   • Assign the Usage for the certificate:
     • EP Authentication
     • RADIUS DTLS
     • PX Grid (if applicable)
     • Eye Messaging Service
     • Portal (select all portal options, including guest services if needed).
   • Important: Be cautious when selecting Admin usage, as this will cause the Cisco ISE application to restart. It's recommended to perform this during a maintenance window.
   • Click Submit. You may receive warnings about replacing the certificate and the application restarting. Confirm these actions.

8. Verify the New Certificate:

   • After Cisco ISE restarts, navigate back to Administration > Certificates.
   • You should see the newly installed certificate listed, showing it's signed by the root CA and its usage.
   • Test access to ISE and its functionalities to ensure everything is working correctly.